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DETAILED ACTION 
Priority 

1 . Applicant's claim for benefit of domestic priority under 35 U.S.C. 1 1 9(e) is 
acknowledged. 

The application is filed on 8/21/2006 but has a U.S. provisional application number 

60/545,833 filed on 2/19/2004. 

Specification 

2. The disclosure is objected to because of the following informalities: "with Library to 
Library m" should be corrected with " Library 1 to Library m". Appropriate correction is required. 

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(a) the invention was l<nown or used by ottiers in ttiis country, or patented or described in a printed 

publication in this or a foreign country, before the invention thereof by the applicant for a patent. 
NOTE: The term "others" in 35 U.S.C. 1 02(a) refers to any entity which is different from the inventive entity. 
The entity need only differ by one person to be "by others." This holds true for all types of references eligible 
as prior art under 35 U.S.C. 102(a) including publications as well as public knowledge and use. 

3. Claims 1 - 3 and 9-20 are rejected under 35 U.S.C. 1 02(a) as being anticipated by 
Anderson (EP 1361527 A1). 

As per claim 1 and 18, Anderson teaches a method of providing a dynamic security 
management in an apparatus, the apparatus comprising: 

a platform for running an application (Anderson: Figure 1); 
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a security manager for handling access of the application to functions existing in the 
apparatus (Anderson: Figure 1 / Element 7); 

an application interface between the platform and the application (Anderson: Figure 1 / 
Element 4: API (Application Interface)); 

a set of access permissions stored in the apparatus and used by the security manager 
for controlling access of the application to functions through the application interface (Anderson: 
Column 3 Line 12-24) the method comprising: 

downloading into the apparatus an object containing access permissions applicable to at 
least one function (Anderson: Column 2 Line 39-41 / Line 50 - 54 and Column 3 Line 12-19: 
the downloaded application and signatures of permission information can be considered as the 
object); 

verifying the object (Anderson: Column 4 Line 21 - 24); and 
installing the access permissions together with the existing permissions (Anderson: 
Column 4 Line 28-30). 

As per claim 14 and 31 , Anderson teaches a method of providing a dynamic security 
management in an apparatus, the apparatus comprising: 

a platform for running an application (Anderson: Figure 1); 

a security manager for handling access of the application to functions existing in the 
apparatus (Anderson: Figure 1 / Element 7); 

an application interface between the platform and the application (Anderson: Figure 1 / 
Element 4: API (Application Interface)); 
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a set of access permissions stored in the apparatus and used by the security manager 
for controlling access of the application to functions through the application interface (Anderson: 
Column 3 Line 1 2 - 24 and Column 2 Line 50 - 54), the method comprising: 

storing the access permissions in a security policy (Anderson: Column 4 Line 49 - 58 
and Column 3 Line 56 - 58: access permission information is indeed related to a security 
policy); and 

providing the security policy with a hierarchical structure (Anderson: Column 4 Line 49 - 
58 / Line 3-30 and Figure 2: (a) a hierarchical structure of a set of root-certificates and 
attribute certificates; (b) where the root-certificate is mapped to an attribute certificate through 
an identifier (e.g. public key)). 

As per claim 2 and 1 9, Anderson teaches the object is verified by checking a certificate 
chain of the object (Anderson: Column 4 Line 20 - 38). 

As per claim 3 and 20, Anderson teaches verifying that a policy of the function allows 
updates (Anderson: Column 3 Line 20 - 24 and Column 4 Line 35 - 38). 

As per claim 9 and 26, Anderson teaches the access permissions are contained in a 
policy file (Anderson: Column 3 Line 56 - 58: access permission information is indeed related to 

a security policy). 

As per claim 10 and 27, Anderson teaches the policy file has a structure linking access 
levels of existing functions with a domain associated with the downloaded object (Anderson: 
Column 4 Line 4 - 57: (a) permission rights must be associated with an access level according 
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to a security policy and (b) a set of structures (e.g., permission certificates) are linked with an 
identifier (e.g., signature / public key identifier), which is qualified as a domain ID - i.e. a group / 

domain of mapped certificates ). 

As per claim 1 1 , 1 6, 28 and 33, Anderson teaches the policy file has a structure linking 
access levels of existing functions with information contained in a certificate chain (Anderson: 
Column 4 Line 20 - 38 and Column 4 Line 4 - 57). 

As per claim 12, 17, 29 and 34, Anderson teaches the information includes a signature 
of the end entity certificate, a signature of an intermediate certificate, or specific level 
information (level OID) (Anderson: Column 4 Line 19 - 24: a signature). 

As per claim 13 and 30, Anderson teaches the policy file has a structure including logical 
expressions (Anderson: Column 4 Line 50 - 54: a file structure indeed includes logical 
expressions). 

As per claim 15 and 32, Anderson teaches the security policy has a structure linking 
access levels of existing functions with a domain associated with the downloaded object 
(Anderson: Column 4 Line 4 - 57 / Line 20 - 38: (a) permission rights must be associated with 
an access level according to a security policy and (b) a set of structures (e.g., permission 
certificates) are linked with an identifier (e.g., signature / public key identifier), which is qualified 
as a domain ID - i.e. a group / domain of mapped certificates ). 
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As per claim 35, Anderson teaches the apparatus is a portable telephone, a pager, a 
communicator, a smart phone, or an electronic organizer (Anderson: Column 2 Line 37-41). 

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 4-8 and 21 - 25 are rejected under 35 U.S.C. 1 03(a) as being unpatentable 

over Anderson (EP 1 361 527 A1 ), in view of Yarsa et al. (U.S. Patent 6,760,91 2). 

As per claim 4, 7, 21 and 24, Anderson does not disclose expressly installing a library 
comprising new routines and/or new functions to be called by an application or another library 
stored in the apparatus to enable access of functions through the application interface. 

Yarsa teaches installing a library comprising new routines and/or new functions to be 
called by an application or another library stored in the apparatus to enable access of functions 
through the application interface (Yarsa: Column 3 Line 9 - 20: DLL Library routines called by 
an applet class application program with built-in security mechanism). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Yarsa within the system of Anderson because 
(a) Anderson teaches a security mechanism of defining a generic profile for controlling an 
interface in connection with applications so that the application is allowed limited access to 
existing software / function through an interface (Anderson: Column 3 Line 55 - 58 and Column 
2 Line 50 - 54), and (b) Yarsa teaches an improved security mechanism on API (Application 
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Interface) by providing functions with built-in dynamic link library (.DLL), namely, native code 
library, and accessed through the Java Native Interface (JNI) by a class that has access rights 
to load DLL library codes (Yarsa: Column 3 Line 9 - 20: DLL Library routines called by an applet 
class application program with built-in security mechanism). 

As per claim 5, 8, 22 and 25, Anderson as modified teaches the new routines and/or 
new functions can access existing functions through the library (Yarsa: Column 3 Line 9 - 20). 

As per claim 6 and 23, Anderson as modified teaches when accessing functions, 
recursively checks the permissions of the application interfaces and libraries in a linked chain 
related to the called functions (Yarsa: Column 3 Line 9 - 20). 



Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The 
examiner can normally be reached on Monday-Friday 9:00am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Longbit Chai/ 

Longbit Chai E.E. Ph.D 
Primary Examiner, Art Unit 2431 
10/13/2008 



